Create a Service Account in Wiz under Settings > Service Accounts > Add Service Account, selecting type Custom Integration (GraphQL API), and save the client ID and client secret.
Obtain a bearer token by POSTing to https://auth.app.wiz.io/oauth/token with grant_type=client_credentials, client_id, client_secret, and audience=wiz-api; include the returned access_token as Authorization: Bearer YOUR_TOKEN on subsequent requests.
Determine your tenant's GraphQL endpoint from the Wiz portal (format: https://api.{region}.app.wiz.io/graphql, where region is us1, us2, eu1, eu2, etc.).
Query open issues with a GraphQL POST containing a query such as { issues(filterBy: { status: [OPEN], severity: [CRITICAL, HIGH] }, first: 100) { nodes { id title severity status createdAt } pageInfo { hasNextPage endCursor } } }.
Page through results using the endCursor value in pageInfo, passing it as the after argument in subsequent queries until hasNextPage is false.
Known gotchas
OAuth access tokens expire; refresh the token before it expires (check the expires_in field in the token response) to avoid mid-pipeline 401 errors.
The Wiz GraphQL schema evolves; use introspection queries in staging to validate field availability before deploying production pipelines, especially after Wiz platform upgrades.
Filtering by both severity and status in the same query significantly reduces payload size; omitting filters on large tenants can return extremely large responses and hit query complexity limits.
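The steps and the token-expiry gotcha above, combined into one client: it fetches a token, refreshes it shortly before expires_in elapses, and follows endCursor until hasNextPage is false. This is an added example, not Wiz's or the page author's code. The names WizClient, http_post, skew and the injectable post/clock parameters are hypothetical, and the String type of $after and the form-encoded token request are assumptions to confirm against your tenant.

```python
import json, time, urllib.parse, urllib.request

TOKEN_URL = "https://auth.app.wiz.io/oauth/token"
# $after typed as String is an assumption; confirm it by introspection.
QUERY = """query ($after: String) {
  issues(filterBy: {status: [OPEN], severity: [CRITICAL, HIGH]},
         first: 100, after: $after) {
    nodes { id title severity status createdAt }
    pageInfo { hasNextPage endCursor }
  }
}"""

def http_post(url, body, headers):
    """Default transport: POST bytes, return the parsed JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class WizClient:
    def __init__(self, client_id, client_secret, endpoint,
                 post=http_post, clock=time.monotonic, skew=60):
        self.creds = {"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "audience": "wiz-api"}
        self.endpoint, self.post, self.clock, self.skew = endpoint, post, clock, skew
        self.token, self.expires_at = None, 0.0

    def bearer(self):
        """Return a token, refreshing `skew` seconds before it expires."""
        if self.token is None or self.clock() >= self.expires_at - self.skew:
            # Form encoding is an assumption (usual for client_credentials).
            tok = self.post(TOKEN_URL, urllib.parse.urlencode(self.creds).encode(),
                            {"Content-Type": "application/x-www-form-urlencoded"})
            self.token = tok["access_token"]
            self.expires_at = self.clock() + int(tok["expires_in"])
        return self.token

    def open_issues(self):
        """Yield every open CRITICAL/HIGH issue, following endCursor."""
        after = None
        while True:
            body = json.dumps({"query": QUERY, "variables": {"after": after}})
            resp = self.post(self.endpoint, body.encode(),
                             {"Authorization": f"Bearer {self.bearer()}",
                              "Content-Type": "application/json"})
            if resp.get("errors"):  # GraphQL reports errors in the body
                raise RuntimeError(f"GraphQL errors: {resp['errors']}")
            page = resp["data"]["issues"]
            yield from page["nodes"]
            if not page["pageInfo"]["hasNextPage"]:
                return
            after = page["pageInfo"]["endCursor"]
```

Load the client ID and secret from a secret store or environment variables rather than hard-coding them, and pass the endpoint shown for your tenant in the Wiz portal.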